| Commit message (Collapse) | Author | Files | Lines |
|---|
|
The default retention of 90 days seems a bit long, so drop it to 7
days.
|
|
Private forks would very quickly reach their quota or spend lots of
money trying to archive all these artifacts, so let's make sure it
only happens on our own repositories.
|
|
The expression for calculation of the _do_log values in the log_exec_*
macros need to be the same as the unit_log_level_test() function, used
to calculate _do_log in unit.h. The only difference between execute.h
and unit.h is the lack of the Unit structure.
Fixes: b646fc324a ("core: ensure execute/spawn functions can work without Unit object")
Fixes: 210ca71cb5 ("core/execute: clean up log_exec_full_errno and friends")
Signed-off-by: Łukasz Stelmach <l.stelmach@samsung.com>
|
|
Bumps pkg/debian from `733ac7c` to `4b1f868`.
---
updated-dependencies:
- dependency-name: pkg/debian
dependency-type: direct:production
...
Signed-off-by: dependabot[bot] <support@github.com>
|
|
If a user only presses ENTER when the PIN is requested (without actually typing
the PIN), an assertion is reached and no other unlock method is requested.
```
sh-5.2# systemctl status systemd-cryptsetup@cr_root
× systemd-cryptsetup@cr_root.service - Cryptography Setup for cr_root
Loaded: loaded (/etc/crypttab; generated)
Drop-In: /etc/systemd/system/systemd-cryptsetup@.service.d
└─pcr-signature.conf
Active: failed (Result: core-dump) since Thu 2024-04-25 08:44:30 UTC; 10min ago
Docs: man:crypttab(5)
man:systemd-cryptsetup-generator(8)
man:systemd-cryptsetup@.service(8)
Process: 559 ExecStartPre=/usr/bin/pcr-signature.sh (code=exited, status=0/SUCCESS)
Process: 604 ExecStart=/usr/bin/systemd-cryptsetup attach cr_root /dev/disk/by-uuid/a8cbd937-6975-4e61-9120-ce5c03138700 none x-initrd.attach,tpm2-device=auto (code=dumped, signal=ABRT)
Main PID: 604 (code=dumped, signal=ABRT)
CPU: 19ms
Apr 25 08:44:29 localhost systemd[1]: Starting Cryptography Setup for cr_root...
Apr 25 08:44:30 localhost systemd-cryptsetup[604]: Assertion '!pin || pin_size > 0' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:60, function cryptsetup_token_open_pin(). Aborting.
Apr 25 08:44:30 localhost systemd[1]: systemd-cryptsetup@cr_root.service: Main process exited, code=dumped, status=6/ABRT
Apr 25 08:44:30 localhost systemd[1]: systemd-cryptsetup@cr_root.service: Failed with result 'core-dump'.
Apr 25 08:44:30 localhost systemd[1]: Failed to start Cryptography Setup for cr_root.
```
In this case, `cryptsetup_token_open_pin()` receives an empty (non-NULL) `pin`
with `pin_size` equals to 0.
```
🔐 Please enter LUKS2 token PIN:
Breakpoint 3, cryptsetup_token_open_pin (cd=0x5555555744c0, token=0, pin=0x5555555b3cc0 "", pin_size=0, ret_password=0x7fffffffd380,
ret_password_len=0x7fffffffd378, usrptr=0x0) at ../src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:42
42 void *usrptr /* plugin defined parameter passed to crypt_activate_by_token*() API */) {
(gdb) continue
Assertion '!pin || pin_size > 0' failed at src/cryptsetup/cryptsetup-tokens/cryptsetup-token-systemd-tpm2.c:60, function cryptsetup_token_open_pin(). Aborting.
```
|
|
Otherwise the default log target is the console and we won't use
the journal socket even if it is available.
|
|
|
|
The portable profiles assume /etc/resolv.conf exists, which isn't
always the case. Let's mark the mounts as optional so we don't fail
to start the unit if /etc/resolv.conf doesn't exist.
|
|
We cannot mark a test suite as excluded by default in meson. Instead,
let's require that SYSTEMD_INTEGRATION_TESTS=1 and skip any integration
test if it's not set. This is effectively the same as excluding it by
default. If the integration-test option is enabled, we'll set the
environment variable by default, just like we do with SYSTEMD_SLOW_TESTS
and the slow-tests meson option.
|
|
Let's insist on mkosi being found if the integration-tests option
is enabled and let's only add dependencies on systemd-journal-remote
and systemd-measure if they're being built. Drop ukify from the list
as its part of public_programs.
|
|
Required for various integration tests.
|
|
|
|
Need full support of pidfd to work, so skip the test if it's not
available
|
|
|
|
It is not a lot of use to add --debug to tests without it
since only the last 100 lines are printed to console.
|
|
The change to add microcode support had a bug in ukify handling
that broke when it should have been picked up from ExtraSearchPaths.
|
|
|
|
Let's show the runtimes of our commands and preparations for them. It's
actually quite interesting, we sometimes are irritatingly slow with our
handoffs.
|
|
|
|
|
|
|
|
Also: rename Handover → Handoff. I think it makes it clearer that this
is not really about handing over any resources, but that the executor is
out off the game from that point on.
|
|
This changes the executor to systematically send handoff timestamps to
the service manager if a socket for that is supplied. This drops the
code that did this via Type=exec messages, and reverts that part to the
old behaviour before 93cb78aee2cff8109a5a70128287732f03d7a062.
Benefits of this approach:
1. We can collect the handoff for any command we fork off, regardless
if it's ExecStart= something else, regardless whether it's Type=exec,
Type=simple or some any other service type, regardless of the unit
type.
2. We collect both CLOCK_REALTIME and CLOCK_MONOTONIC, as we do for the
other process timestamps.
3. It's entirely backwards compatible, as this doesn't change the
protocol between service manager and executor, but just extends it.
|
|
This adds an AF_UNIX socket pair to the manager that we can collect
handoff timestamp messages on.
The idea is that forked off children send a datagram with a timestamp
and we use its sender PID to match it against the right forked off
process.
This part only implements the receiving side: a socket is created, and
listened on. Received datagrams are parsed, verified and then dispatched
to the interested units.
|
|
assert_se() should not be used here, these checks are paranoia only and
have no side-effect after all.
hence fix this to use assert(), or in fact ASSERT_PTR()
|
|
let's properly handle old kernels that have no pidfd, and use regular
pids in that case, as intended originally.
|
|
It's generated by not supported getsocktopt()/setsockopt() options, and
it's just another way for saying "not supported", hence treat it as
such.
|
|
Fixes a regression introduced by 8157cc0e3e33c97b406cc088cf001ca524154f64.
|
|
No functional change, just refactoring.
|
|
Also this made several coding style cleanups.
|
|
Including linux/icmpv6.h easily trigger conflicts when another header
includes netinet/icmp6.h. Let's drop the dependency and use our
definition of the same values.
|
|
The current output of 'systemctl list-jobs' with the --after and/or --before
switches seems backwards. With artificial units
# check-oil.service
[Unit]
Description=Check the oil level
Before=engine-ready.target
# fill-gas.service
[Unit]
Description=Fill the tank with gasoline
Before=engine-ready.target
# engine-ready.target
[Unit]
Description=The engine is ready
[Unit]
Description=Start the engine!
After=engine-ready.target
Wants=engine-ready.target
running 'systemctl list-jobs --before --after' produces
JOB UNIT TYPE STATE
93 check-oil.service start running
└─ waiting for job 94 (engine-ready.target/start) - -
102 fill-gas.service start running
└─ waiting for job 94 (engine-ready.target/start) - -
94 engine-ready.target start waiting
└─ waiting for job 111 (start-engine.service/start) - -
└─ blocking job 93 (check-oil.service/start) - -
└─ blocking job 102 (fill-gas.service/start) - -
111 start-engine.service start waiting
└─ waiting for job 1 (multi-user.target/start) - -
└─ blocking job 94 (engine-ready.target/start) - -
Obviously, job 93 is not waiting for job 94, but rather blocking it.
|
|
socket and service units output there ExecCommand/ExecStatus definitions
already, but this was missing in mount/swap. Fix that.
|
|
virtiofs cannot be used as the upper fs for overlayfs, so skip all
the sysext mutable tests that would try to use virtiofs as the
upper fs.
|
|
|
|
|
|
|
|
|
|
We have pretty much the same code here, let's reuse the common
implementation.
|
|
This is both easier to read and allows us to reuse the helper later.
|
|
It is not needed, it publishes things like dotnet, and it is often
broken, so just remove the sources
|
|
|
|
The prototype was static, but the implementation was not. Make both
static, this is otherwise too confusing. (This doesn't actually change
anything, since the prototype decides about this anyway, but it makes
things easier to read.)
|
|
While stracing PID1's forking off of children I noticed that every
single forked off child reads cap_last_cap from procfs. That value is a
kernel constant, hence we can save a lot of work if we'd cache it.
Thing is, we actually do cache it, in a thread_local cache field. This
means that the forked off processes (which are considered new threads)
will have to re-query it, even though we already know the result.
Hence, let's get rid of the thread_local stuff (given that the value is
going to be the same for all threads anyway, and we pretty much have a
single thread only anyway). Use an C11 atomic_int instead, which ensures
the value is either initialized or not initialized, but we don't need to
be concerned of partial initialization.
This makes the cap_last_cap reading go away in the children, as strace
shows (since cap_last_cap() is already called by PID 1 before
fork()ing, anyway).
|
|
Follow-up for 8518f4a814426e7a92342298353a4cd9508cb33b
|
|
|
|
|
|
Otherwise if the file is full of holes we get the wrong size and
we'll fail later on.
|
|
supported
|
|
As requested in review.
|
